Assistance Listings

State and Local Cybersecurity Grant Program Tribal Cybersecurity Grant Program

Objectives

The goal of the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) is to assist state, local, tribal and territorial (SLTT) governments with managing and reducing systemic cyber risk. This goal can be achieved over the course of the Period of Performance (POP) as applicants focus on their Cybersecurity Plans, priorities, projects, and implementation toward addressing the program objectives. Program Objectives for SLCGP and TCGP include: 1. Develop and establish appropriate governance structures, as well as plans, to improve capabilities to respond to cybersecurity incidents and ensure continuity of operations; 2. SLTT agencies understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments; 3. Implement security protections commensurate with risk (outcomes of Objectives 1 & 2); and 4. Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility. Performance Measures: • Percentage of entities with CISA approved state-wide Cybersecurity Plans • Percentage of entities with statewide Cybersecurity Planning Committees that meet the Homeland Security Act of 2002 and SLCGP funding notice requirements • Percentage of entities conducting annual table-top and full-scope exercises to test Cybersecurity Plans • Percent of the entities’ SLCGP budget allocated to exercises • Average dollar amount expended on exercise planning for entities • Percentage of entities conducting an annual cyber risk assessment to identify cyber risk management gaps and areas for improvement • Percentage of entities performing phishing training • Percentage of entities conducting awareness campaigns • Percent of entities providing role-based cybersecurity awareness training to employees • Percentage of entities adopting the Workforce Framework for Cybersecurity (NICE Framework) as evidenced by established workforce development and training plans • Percentage of entities with capabilities to analyze network traffic and activities related to potential threats • Percentage of entities implementing multi-factor authentication (MFA) for all remote access and privileged accounts • Percentage of entities with programs to anticipate and discontinue use of end-of-life software and hardware • Percentage of entities prohibiting the use of known/fixed/default passwords and credentials • Percentage of entities operating under the “.gov” internet domain • Number of cybersecurity gaps or issues addressed annually by entities

Examples of Funded Projects

Assistance Listing Description

Range and Average of Financial Assistance

For FY 2023 SLCGP, these are the estimates: All 50 States, the District of Columbia, and the Commonwealth of Puerto Rico will receive a minimum of $4,082,282 each; Each of the four territories (American Samoa, Guam, the Northern Mariana Islands, and the U.S. Virgin Islands) will receive a minimum of $1,020,570; $79,310,190, 50% of the remaining amount, will be apportioned based on the ratio that the population of each state or territory bears to the population of all states and territories.

Accomplishments

Account Identification

70-0413-0-1-453

Types of Assistance

A - Formula Grants

Credentials and Documentation

Eligible entities applying for a grant under this Assistance Listing must have an approved Cybersecurity Plan, Project Worksheet, and Investment Justification to have funds released. Eligible entities should also refer to the Notices of Funding Opportunity, once published, for additional documents required to apply for a grant. 2 CFR 200, Subpart E - Cost Principles applies to this program.

Applicant Eligibility

For SLCGP: States and U.S. Territories All 56 states and territories, including any state of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the U.S. Virgin Islands, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands, are eligible to apply for SLCGP funds. For TCGP: Federally Recognized Tribal Governments Tribal governments may apply directly through the Tribal Cybersecurity Grant Program or may receive funds as subrecipients of the State and Local Cybersecurity Grant Program. “Tribal government” is defined as the recognized governing body of any Indian or Alaska Native Tribe, band, nation, pueblo, village, community, component band, or component reservation, that is individually identified (including parenthetically) in the most recent published list of federally recognized tribes.

Beneficiary Eligibility

State, Local, U.S. Territories, & Federally Recognized Indian Tribal Governments

Length and Time Phasing of Assistance

State and Local Cybersecurity Grant Program and Tribal Cybersecurity Grant Program funds are available to eligible applicants for the duration of the period of performance, which will be up to 48 months. For SLCGP: recipients in the 50 states must pass through at least 80% of the federal funds provided under the grant to local governments within 45 days of the release of the funds from FEMA. FEMA interprets the date that an entity “receives a grant” to be the date upon which FEMA releases the funding hold in the Non-Disaster Grants Management System (ND Grants) system. With the consent of the local governments, this pass-through may be in the form of in-kind services, capabilities, or activities, or a combination of funding and other services. 25% of the total federal award must also go to rural areas. This pass-through to rural areas is a part of the overall 80% pass-through; however, it should be emphasized that 25% of the total federal amount must be passed through to rural areas (defined in 49 U.S. C. 5305 as any area with a population of 50,000 or less). The local government pass-through requirement, including the rural area pass-through requirement, does not apply to the following: The District of Columbia, the Commonwealth of Puerto Rico, American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, the United States Virgin Islands, or a Tribal government. For TCGP: no pass-through requirement. Method of awarding/releasing assistance: lump sum

Use of Assistance

SLTT governments shall use the grant funds to: (1) implement the Cybersecurity Plan of the eligible entity; (2) revise the Cybersecurity Plan of the eligible entity; (3) pay expenses directly relating to the management and administration of the grant, up to 5 percent of the grant amount; (4) assist with activities that address imminent cybersecurity threats to the information systems owned or operated by, or on behalf of, the SLTT government; (5) fund any other appropriate activity determined by the Department of Homeland Security. An eligible entity applying for a grant shall agree to consult the Chief Information Officer (or equivalent), the Chief Information Security Officer, or an equivalent official of the eligible entity, in allocating grant funds under this program.All costs charged to awards must comply with the Uniform Administrative Requirements, Cost Principles, and Audit Requirements at 2 C.F.R. Part 200, unless otherwise indicated in the Notice of Funding Opportunity (“NOFO”), or the terms and conditions of the award. (1) IN GENERAL. —Any entity that receives funds from a grant under this section may not use the grant— (A) to supplant state or local funds; (B) for any recipient cost-sharing contribution; (C) to pay a ransom; (D) for recreational or social purposes; or (E) for any purpose that does not address cybersecurity risks or cybersecurity threats on information systems owned or operated by, or on behalf of, the eligible entity that receives the grant or a local government within the jurisdiction of the eligible entity. The supplanting prohibition shall not be construed to prohibit the use of funds from a grant under this program for otherwise permissible uses on the basis that the SLTT government has previously used SLTT funds to support the same or similar uses. LIMITATION ON CONSTRUCTION. —A grant awarded under this section may not be used to acquire land or to construct, remodel, or perform alterations of buildings or other physical facilities. Grant funds, including funds used to meet a cost share, may not be used for lobbying or intervention in federal regulatory or adjudicatory proceedings. In addition, federal funds may not be used to sue the federal government or any other government entity.

Deadlines

Preapplication Coordination

Preapplication coordination is required. Environmental impact information is not required for this program. This program is eligible for coverage under E.O. 12372, "Intergovernmental Review of Federal Programs." An applicant should consult the office or official designated as the single point of contact in his or her State for more information on the process the State requires to be followed in applying for assistance, if the State has selected the program for review. This program is eligible for coverage under E.O. 12372, "Intergovernmental Review of Federal Programs." An applicant should consult the office or official designated as the single point of contact in his or her State for more information on the process the State requires to be followed in applying for assistance if the State has selected the program for review. If applying for a grant to implement a Cybersecurity Plan, a state must consult and obtain feedback from local governments within its jurisdiction, to the extent practicable, regarding the elements of the state’s Cybersecurity Plan. Similarly, if applying for a grant to implement a Cybersecurity Plan, states must consult with local governments and associations of local governments, and as applicable, neighboring states or tribal governments, information sharing and analysis organizations, and neighboring countries to develop and coordinate strategies to address cybersecurity risks and cybersecurity threats for that state’s Cybersecurity Plan.

Application Procedures

2 CFR 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards applies to this program.

Notice of Funding Opportunities (NOFO) for this listing will be posted on Grants.gov (opens in new window) (opens in new window).

Criteria for Selecting Proposals

TBD by program

Award Procedure

TBD by program

Date Range for Approval/Disapproval

TBD by program

Renewals

Not Applicable.

Appeals

Not Applicable.

Policy Requirements

Reports

Audits

Records

Financial records, supporting documents, statistical records, and all other non-federal entity records pertinent to a federal award generally must be maintained for at least three years from the date the final Federal Financial Report (“FFR”) is submitted. See 2 C.F.R. § 200.334. Further, if the recipient does not submit a final FFR and the award is administratively closed, FEMA uses the date of administrative closeout as the start of the general record retention period.

Regulations, Guidelines, and Literature

The following 2 C.F.R. Part 200 requirements apply to this assistance listing: Subpart A, Acronyms and Definitions Subpart B, General Provisions Subpart C, Pre-Federal Award Requirements and Contents of Federal Awards Subpart D, Post-Federal Award Requirements Subpart E, Cost Principles Subpart F, Audit Requirements

Formula and Matching Requirements

Regional or Local Locations:

Headquarters Office: